On The Limits of Detecting Process Anomalies in Critical Infrastructure

A. Mathur
Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, published 2018-05-22. DOI: 10.1145/3198458.3198466 (https://doi.org/10.1145/3198458.3198466)
Citations: 3

Abstract

Critical infrastructure consists of Cyber-Physical Systems that provide essential services to society. Such infrastructure includes plants for power generation and distribution and for water treatment and distribution. Several such plants operate under a high availability constraint. In the presence of ever-increasing cyber attacks, as demonstrated by several events in the past, it becomes imperative and challenging for a plant to meet the availability requirement. Such attacks raise the importance of adding mechanisms for attack prevention, detection, and secure control to a plant. Preventive measures aim to control the incoming and outgoing network traffic and prevent unauthorised access to the plant. Detection mechanisms aim to detect whether the plant is behaving as expected and raise alarms otherwise. Mechanisms for secure control aim to ensure that the plant remains in a stable state despite an attack. When a preventive mechanism fails, the detection mechanism ought to detect whether the process under control is moving into an undesirable state and, if so, raise an appropriate alarm. While an alarm will likely alert an operator, it may be too late and damage may already have occurred. To prevent such damage, a secure control mechanism ensures that, even when the plant enters an abnormal state, the plant components, e.g., pumps and generators, are not damaged and the process continues to function, albeit in a degraded mode. The ongoing process in the plant is said to be anomalous when its state is not in accordance with the plant design. A number of proposed detection mechanisms rely on the physics of the process to detect anomalous behavior. Several such mechanisms have been implemented in testbeds. In this talk we analyze two methods for the detection of process anomalies, namely the CUSUM method [2] and a relatively newer method based on the notion of state entanglement [1]. Both methods are based on models of the underlying process in the plant.
CUSUM is a statistical technique for detecting change points in a time series that corresponds to a process variable. The method uses two parameters, namely bias and threshold. The bias is determined from the mean of the process variable of concern. The bias so obtained is used in conjunction with the predicted and observed state of the plant. The process is said to have changed its behavior when the CUSUM statistic exceeds a pre-specified threshold; the occurrence of such a change implies a process anomaly. State entanglement uses the joint state space of one or more components of the plant to construct a state space consisting of the states that are prohibited during plant operation. The prohibited state space of the components leads to one or more invariants. The invariants so derived are coded as monitors and placed in the plant network and in the controllers. A monitor raises an alarm when the process enters a prohibited state. While both methods have been evaluated experimentally, we wish to identify the conditions under which they either fail to detect an anomaly or cause false alarms. Using our analysis we reveal the inherent limitations of these methods that may lead to an unacceptable rate of false alarms, and their inability to detect coordinated cyber attacks. Our analysis is based on an increasingly complex series of attacker profiles, together with affect graphs that capture the state relationships among plant components, to reveal the strengths and limitations of both methods.
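As an added illustration (not code from the paper), the following Python sketch implements a two-sided CUSUM over the residual between the observed and predicted values of one process variable, using the bias and threshold the abstract names as the method's two parameters; the residual series and the parameter values are constructed here. It shows an abrupt offset that is detected alongside a persistent offset kept below the bias that accumulates the same total deviation yet never raises an alarm, which is the kind of detection limit the talk examines.

```python
# Added example (not from the paper): two-sided CUSUM over model residuals.
# Assumptions: residual = observed - predicted value of one process variable;
# the residual series, bias and threshold below are constructed, not plant data.

def cusum_alarms(residuals, bias, threshold):
    """Return the indices at which the CUSUM statistic exceeds the threshold.

    Two one-sided statistics are kept: s_hi accumulates positive residuals,
    s_lo accumulates negative ones. Each step subtracts the bias, so a
    deviation smaller than the bias contributes nothing, and the statistic
    is clamped at zero. After an alarm both statistics restart from zero.
    """
    s_hi = s_lo = 0.0
    alarms = []
    for i, r in enumerate(residuals):
        s_hi = max(0.0, s_hi + r - bias)
        s_lo = max(0.0, s_lo - r - bias)
        if s_hi > threshold or s_lo > threshold:
            alarms.append(i)
            s_hi = s_lo = 0.0
    return alarms


# Constructed residual series in three phases.
NORMAL = [0.05, -0.04, 0.03, -0.05, 0.02, -0.03, 0.04, -0.02]  # noise below bias
ABRUPT = [0.4] * 6      # observed value jumps 0.4 above the model
STEALTHY = [0.08] * 30  # persistent offset kept just under the bias
BIAS = 0.1
THRESHOLD = 0.5


def demo():
    """Run the detector over all three phases and summarise what it sees."""
    series = NORMAL + ABRUPT + STEALTHY
    alarms = cusum_alarms(series, BIAS, THRESHOLD)
    abrupt_start = len(NORMAL)
    stealthy_start = abrupt_start + len(ABRUPT)
    return {
        "alarms": alarms,
        "alarms_in_abrupt_phase": [i for i in alarms if abrupt_start <= i < stealthy_start],
        "alarms_in_stealthy_phase": [i for i in alarms if i >= stealthy_start],
        # the total deviation from the model is identical in the two attack phases
        "abrupt_total_deviation": round(sum(ABRUPT), 6),
        "stealthy_total_deviation": round(sum(STEALTHY), 6),
    }


if __name__ == "__main__":
    print(demo())
```

Lowering the bias would catch the stealthy phase but would also let the ordinary noise in the first phase accumulate, which is the false-alarm side of the trade-off the abstract describes.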